0

I'm trying to fix a site vulnerability; it is an "Improper Input Handling" attack raised by WhiteHat. Let's say my website is www.mywebsite.com and there is a hacker's website www.hacker.com.

Whenever a request is sent to www.mywebsite.com with a modified "Host" header pointing to www.hacker.com, my site creates a redirect to www.mywebsite.com along with whatever the URL was. To fix this I tried the Tomcat virtual host configuration below, but it still redirects to the other website.

```xml
<!-- attribute is case-sensitive: appBase, not appbase -->
<Host name="defaultlocalhost" appBase="whatever">
    <!-- allow addresses to these hosts
         (note: RemoteAddrValve matches the client's IP address, not the Host header) -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow=".*\.mywebsite1\.com|.*\.mywebsite2\.com"/>
</Host>
```

So, my question is: is this the right approach to prevent this host header attack? If yes, what did I do wrong that it is still not working? (The ultimate goal is: if the Host that was passed in is not the legitimate one, the request should be discarded/ignored/return 404, not redirected with a 302.)

Pradeep
  • Read https://serverfault.com/questions/850955/tomcat-virtual-host-to-prevent-improper-input-handling-attack again, the `defaultlocalhost` host config shouldn't have a `Valve`. – tgdavies Sep 12 '21 at 00:04
  • @tgdavies As per your comment I tried removing the Valve. Now in my server.xml I have only but after I test through the curl command below it still returns 302. Expecting 404. This is the curl command I am using for testing: `curl -isk -H "host: host.whitehatsec.com" "https://mywebsite1.com/43535333?host_header=host"` – Pradeep Sep 13 '21 at 08:34
  • For the trick you are using to work, the `` containing your host, must have `defaultHost="defaultlocalhost"`. – Piotr P. Karwasz Sep 13 '21 at 13:13
  • @PiotrP.Karwasz Can you elaborate? Is this what you are referring to? ` ` Do I need to keep both Engine configurations, pointing to localhost and defaultlocalhost? Is this right? Any more changes needed? – Pradeep Sep 13 '21 at 20:00
  • Does this answer your question? [Tomcat Virtual Host to prevent Improper-Input-Handling attack](https://stackoverflow.com/questions/44054591/tomcat-virtual-host-to-prevent-improper-input-handling-attack) – Piotr P. Karwasz Sep 13 '21 at 20:23
  • Yes, the `defaultHost` attribute must point to the empty host configuration you created. If you leave the _"default"_ value `localhost`, all requests for unknown hosts will still go to your `localhost` virtual host. – Piotr P. Karwasz Sep 13 '21 at 20:25
  • Yes, I tried "allowHostHeaderMismatch", it didn't work; I also added a new Engine with defaultHost and it is still redirecting. – Pradeep Sep 13 '21 at 21:48
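The configuration the comments describe, written out as an added example (this is not the asker's server.xml and not Tomcat's shipped default): the `Engine`'s `defaultHost` points at an empty `Host`, so a request whose Host header matches no configured name or alias is routed to a host with nothing deployed and gets a 404 from Tomcat before any application code (and any redirect logic) runs. The directory name `empty-webapps`, the log file prefix and the host names `www.mywebsite.com` / `mywebsite.com` are assumptions.

```xml
<!-- Added example, not the asker's configuration: Engine whose defaultHost is an
     empty Host, so unknown Host headers get a 404 instead of reaching the app.
     Host names, the appBase directory and the log prefix are assumptions. -->
<Engine name="Catalina" defaultHost="defaultlocalhost">

  <!-- Catch-all for any Host header that matches no other Host. appBase is an
       empty directory (assumed: $CATALINA_BASE/empty-webapps, created by hand)
       and nothing is deployed, so every request routed here returns 404.
       No RemoteAddrValve is needed; host selection is done by name matching. -->
  <Host name="defaultlocalhost" appBase="empty-webapps"
        unpackWARs="false" autoDeploy="false" deployOnStartup="false">
    <!-- Detection: every line in this log is a request that carried an
         unexpected Host header, e.g. the scanner's host.whitehatsec.com. -->
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="unknown_host_access" suffix=".log"
           pattern="%h %t &quot;%r&quot; Host:%{Host}i %s" />
  </Host>

  <!-- The real site. Only requests whose Host header equals the name or one of
       the aliases are routed here. -->
  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <Alias>mywebsite.com</Alias>
  </Host>

</Engine>
```

After restarting Tomcat, the curl command from the comments (`-H "host: host.whitehatsec.com"`) should return `HTTP/1.1 404` and a line in `logs/unknown_host_access.*.log`, while the same request with `-H "host: www.mywebsite.com"` still reaches the application. Two caveats a practitioner will want: host matching is by name, so any name the site must legitimately answer on (a bare IP address used by a load-balancer health check, an internal DNS name) needs an `<Alias>` on the real `Host`, otherwise it will also land in the 404 host; and if a reverse proxy in front of Tomcat rewrites the Host header to a fixed value, the check has to be done at the proxy instead, because Tomcat will then only ever see the rewritten name.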

0 Answers